As of May 25, 2018, the General Data Protection Regulation of the European Union has been in place. This regulation, known as GDPR for short, sets a standard for how websites and businesses access, use, share, and protect data belonging to web users.
Despite being EU legislation, the GDPR has far-reaching consequences, as websites across the globe must follow its rules if they want people in the EU to use their sites.
Now, over a year and a half since the legislation came into effect, we’re going to take a look at some GDPR statistics that help us measure its impact. From compliance statistics to GDPR facts about fines, we will see who’s following the GDPR requirements, who isn’t, and what, if any, impact it has had on how we use the internet.
Keep reading to learn more about this controversial regulation.
As early as August 2018, only a couple of months after the GDPR came into effect, US companies were already paying attention to GDPR standards on personal data use. According to the regulation, personal data is any and all information that can be related to an identifiable individual, whether that data is sensitive or not.
According to one study, 78% of participants had conducted a GDPR gap assessment or implemented or updated their privacy policies. A lower number, 43% of US companies, updated their breach notification policies and procedures, with 32% appointing a DPO (data protection officer) and 32% increasing their data privacy budget.
When it comes to the GDPR in statistics:
Nearly a third of all companies surveyed by one of the leading data privacy management companies reported spending over half a million dollars to become compliant with the GDPR in 2018 alone. A further 31% of companies planned to spend over half a million dollars to become compliant.
You might be wondering:
Can US companies be fined under GDPR?
They can, and that’s why they’re spending more on GDPR compliance efforts than companies elsewhere. A quarter of them (25%) spent over 1 million dollars, compared to 10% in the UK and 7% in the EU on average. Since the GDPR applies to US companies and can expose them to penalties and fines, many are making the investment now to avoid steeper costs in the future.
Since the compliance date for the regulation, EU data protection authorities have levied €359,205,300 in major GDPR penalties and fines. And that’s only the big ones!
Check this out:
While there were only €424,800 in fines in 2018, the figure skyrocketed to a mind-boggling €358,780,500 in 2019. By far the largest of these fines was the £183,000,000 charged to British Airways in the UK. The national airline carrier had to pay this after a major attack on its website resulted in the extraction of over 500,000 customer records.
There have been fines for US companies as well. Marriott International, a globally operating US-based hospitality chain, was fined £99 million by the UK’s Information Commissioner’s Office (ICO).
This happened after Marriott had acquired a competitor company, Starwood, only to find that its central reservation database had been hacked, leaking over five million passwords and eight million credit card records from 2014 to 2018.
This marks the single largest fine against a US business – but it’s not the only one. France’s data regulator fined Google a whopping €50 million over a lack of transparency and consent in its advertising network.
While many businesses all over the globe have been working to become compliant since the GDPR implementation date, some studies suggest that current efforts aren’t enough to fully match the goals of the regulation.
One study looked at personal data requests made to companies operating in the UK across a range of industries, finding that 74% of them did not respond to users’ requests for a copy of their personal data in a GDPR-compliant manner.
(Source: PrivSec Report)
In a survey conducted by RSM UK in cooperation with the European Business Awards, over 300 companies answered a series of questions to put together their GDPR readiness statistics. Many small and medium-sized businesses reported difficulty understanding and implementing their own GDPR-compliant policies.
57% of the respondents attested that they were confident their businesses were compliant, while 13% weren’t sure. However, 30% of businesses who responded were not confident they were GDPR compliant.
In one of the most surprising statistics on GDPR, US companies have spent a total of $7.8 billion on GDPR compliance measures. Meanwhile, UK companies have spent $1.2 billion. These measures are thought to include GDPR gap studies, the hiring of over 500,000 Data Protection Officers, legal services, and more.
US companies in particular have been spending heavily, likely to avoid the risk of multimillion-dollar fines like the ones Marriott International and Google had to face.
Data Protection Officers have been playing the largest role in the implementation of the GDPR.
The thing is:
These employees or teams hired by companies are dedicated solely to data protection. In 2017, there were, at most, 83,000 DPOs employed in the workforce. Nowadays, there are over half a million!
As things stand, the hiring frenzy for DPOs is not slowing down, as the demand for data protection officers has skyrocketed. Both inside and outside the EU, companies are taking data protection much more seriously. As a result, the DPO market is thriving.
(Source: Nieman Lab)
Aside from statistics on GDPR compliance, it’s important to note that some companies in the US and abroad are taking a different approach to the EU legislation. Even a year after the initial GDPR compliance date, over a thousand US news websites aren’t available in the EU. By blocking EU visitors, they have effectively opted for non-compliance, making the statement that they have no intention of complying with EU personal data laws.
In light of the GDPR fines for US companies, some have been choosing noncompliance in a different way, by dumping and erasing all of the data they had held related to their customers up to this point. Given how valuable data is in today’s marketplace, this practice is not likely to become widespread, but it clearly shows that US companies have some options.
(Source: nCipher Security)
In a study that asked whether US citizens wanted the US to enact personal data protections similar to those in Europe, 33% said no. The others returned a variety of answers, with 44% saying the federal government should take over data privacy legislation and 32% saying individual states should be in charge of these matters.
It’s apparent from these statistics that more than 4 in 10 individuals want protection from cybercrime and malware attacks.
While there is no consensus on how personal data privacy should be handled, it is becoming clear that GDPR’s high-profile fines, and the awareness of personal data that it has raised, are making others take notice of how their personal data is being protected.
The GDPR is clearly having an influence, but both private companies and the bodies regulating them have been slow to adapt to the changes. Even in the EU, the post-GDPR stats show that many companies do not fully understand the regulations or know how to implement them.
The amount of money being spent, as shown by the GDPR compliance statistics, shows that companies are taking compliance seriously.
When it comes to GDPR enforcement, there have been several high-profile cases and massive fines for major companies. However, the number of cases is still low. The fines might be high, but given the percentage of companies that are reportedly not GDPR compliant, one might expect the number of enforcement cases in the GDPR statistics to be much higher.
Hopefully, this look at the GDPR in numbers has helped you understand the impact of this legislation. Which stat did you find most fascinating? Let us know in the comments below.